Accessibility disclaimer: To obtain information contained in document files on this page in an accessible format please contact the Human Subjects Office at (317) 274-8289. Or email the IU Institutional Review Board at firstname.lastname@example.org
HRPP Policy - Use of PHI
About This Policy
- Effective date:
- Last updated:
- Policy Contact:
IU Human Subjects Office
This policy applies to the conduct of human subjects research subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule under the jurisdiction of the IU Human Research Protection Program (HRPP). This includes research under the oversight of the IU IRBs and research for which IU or its affiliates are relying on an external IRB for oversight.Back to top
The use of Protected Health Information (PHI) is always allowable for treatment, payment, and health care operations. PHI may also be used for research purposes, including recruitment, in the circumstances as described below.
PHI may be used for research purposes when the subject provides authorization. An authorization to use and disclose PHI must be written in plain language and must include all of the following elements:
- Name and address of the subject, if the study team is seeking release of medical records
- A specific and meaningful description of the information to be used or disclosed, written in a language understandable to the subject
- The name or identification of the persons or class of persons authorized to make disclosures of identifiable health information (i.e., who is releasing information)
- The name or identification of the persons or class of persons authorized to receive the identifiable health information and to use the information for research-related purposes (i.e., research personnel and other individuals who are part of the research team, described as broadly as possible to cover all possible circumstances)
- A description of the purpose of each use or disclosure of identifiable health information
- An expiration date for the authorization, such as a date, an event, or a statement like, "end of research study"
- The individual's signature (or that of his/her legally authorized representative, including a description of that representative's authority to act on behalf of the individual, if applicable) and the date, unless the Privacy Board waives this requirement
- A statement that the individual may revoke the authorization in writing to a member of the research team, except to the extent that research personnel had already acted in good faith on the signed authorization
- A statement that an individual's clinical treatment may not be conditioned upon whether or not the individual signs the research authorization; however, participation in research may be conditioned on a signed authorization
- A statement that information disclosed under the authorization could potentially be re-disclosed by the recipient and would no longer be protected under federal privacy regulations
Unless an alteration is granted per 2.2, HIPAA authorization is documented by the use of an approved, written authorization document, dated by the prospective subject or prospective subject's LAR at the time of authorization. A copy is given to the person signing the form.
PHI may be used or disclosed for research purposes when a Privacy Board approves a waiver of authorization. In addition, the Privacy Board may approve an alteration to the authorization requirements described in 2.1 above. The Privacy Board may approve such a waiver or alteration if it determines all of the following:
- The use or disclosure of PHI involves no more than minimal risk to the confidentiality to the subject, based on the presence of the following elements:
- An adequate plan exists to protect the identifiers from improper use and disclosure
- An adequate plan exists to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law
- There is adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research, or for other research for which the use or disclosure of PHI would be permitted by the HIPAA Privacy Rule
- The research could not practicably be conducted without the waiver
- The research could not practicably be conducted without access to and use of the PHI
An IRB may serve as the Privacy Board for purposes of granting waivers of authorization pursuant to this section. Uses or disclosures of PHI made pursuant to a waiver of authorization or alteration of authorization requirements are subject to the minimum necessary rules.
Research subject to VA regulations is not eligible for an alteration of the authorization requirements, but the Privacy Board may consider a waiver of authorization for this research.
De-identified health information is not considered PHI and may be used or disclosed for research purposes without authorization from the research subject or a waiver of authorization from a Privacy Board.
Research personnel using de-identified information must be able to provide documentation, upon request, that the health information was de-identified by one of the following two methods/processes:
- Expert Determination: A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information, and, documents in writing the methods and results of the analysis that justifies such determination.
- Safe Harbor Method: The following identifiers concerning the individual or of the individual's employer, relatives, and household members are removed:
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code
- Elements of dates (except year) directly related to an individual including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary identifiers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web universal resource locators (URL)
- Internet protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
The following demographic information may be used and still be considered de-identified:
- Age with dates limited to the year (age 90 and over must be aggregated to 90+ to prevent the identification of very old individuals)
- Aggregated ZIP codes in the form of the initial three-digit ZIP codes that contain more than 20,000 people
- Marital status
- Codes that can be affixed to the research record that will permit the information to be reidentified by the covered entity if necessary, provided that the key to such a code is not accessible to the research personnel requesting to use or disclose the de-identified health information. Codes may not be a derivative of the individual's name (e.g., initials), Social Security number, or other identifiable numerical codes (e.g., birth date, medical record number, fax number). If such a code is utilized, the data will not be considered de-identified.
Research personnel must be able to provide documentation upon request that the individual creating the de-identified data set has legitimate access to the PHI.
A Limited Data Set excludes direct identifiers and may be used or disclosed for research purposes without authorization from the research subject or a waiver of authorization from a Privacy Board. A Limited Data Set may not include any of the identifiers which must be removed for the safe harbor method above, with the exception of the following direct identifiers:
- Town, city, county, precinct, state and ZIP code
- All elements of dates directly related to an individual, including birth date, admission date, discharge date, and date of death
- Unique identifying numbers, characteristics, and codes
For any research use of a Limited Data Set, the covered entity disclosing the Limited Data Set must enter into a Data Use Agreement with the recipient of the information.
Uses or disclosures of PHI as Limited Data Sets for research purposes are subject to the minimum necessary rules.
PHI of decedents deceased less than 50 years may be used or disclosed for research purposes without authorization from the research subject or a waiver of authorization from a Privacy Board. Research personnel must provide documentation of all of the following upon request:
- The use will be solely for research on the identifiable health information of decedents
- The PHI sought is necessary for the purposes of the research
- Documentation of the death of the individual about whom information is being sought
PHI of individuals deceased more than 50 years is not protected under the HIPAA Privacy Rule and not subject to this policy.
PHI may be used for research purposes without authorization from the subject or a waiver of authorization from a Privacy Board for reviews preparatory to research (i.e., feasibility studies) when all the following are true:
- The use or disclosure of identifiable health information is solely to prepare a research protocol or for similar purposes that are preparatory to research
- Research personnel shall not record or remove the information from the covered entity. Research personnel may access PHI electronically in order to review the information, but may not record, store, or otherwise retain the information after the review.
- The information sought is necessary for the purposes of the research (e.g., a feasibility analysis to determine the number of potential subjects with a certain disease for submission in a grant)
- This use and disclosure does not include identifying specific individuals for recruitment purposes, but rather identifying the number of individuals with specific criteria to determine or demonstrate the study team's ability to successfully recruit
Uses or disclosures of PHI for reviews that are preparatory to research are subject to the minimum necessary rules.
The study team describes the use of PHI in the human subjects application and submits the mechanism for obtaining HIPAA authorization, including any translated language, when applicable.
For research subject to VA regulations, subjects must provide written HIPAA authorization on VA Form 10-0493 unless HIPAA authorization is combined with the informed consent document, or waived.
A request for waiver or alteration of authorization requirements is submitted to the Privacy Board for review and approval. When the Privacy Board approves such a waiver or alteration, it must document all of the following:
- Privacy Board of record
- Date of Privacy Board approval of the waiver
- Statement that the waiver of HIPAA authorization satisfies the criteria described in 2.2 above
- A brief description of the PHI for which the Privacy Board has determined use or disclosure to be necessary
- Identification of the Privacy Board review procedure used to approve the waiver
- Signature of the Chair of the Privacy Board or a qualified voting member designated by the Chair
Protocol-specific mechanisms for ensuring confidentiality of research data, including PHI, are also described by the study team in the human subjects application. The IRB considers the information in the IRB application and documents its determinations as appropriate. IU and its affiliates have agreed that identified systems provide adequate provisions to protect confidentiality of research data -see IU HRPP Guidance on HIPAA. If research personnel will use only these systems to collect and/or store research data, the IRB may find that adequate provisions exist to maintain confidentiality of data without additional information.
When HIPAA authorization is required, authorization must be documented as follows, unless the IRB grants an alteration per 2.2:
- Subjects (or their legally authorized representative) must sign a document with the required elements of authorization prior to participating in research activities subject to HIPAA.
- Signature may be provided via physical, "wet" signature, a physical or digital copy of a wet signature, or verified electronic signature via encrypted digital signature, electronic signature pad, voice print, digital fingerprint, or signature made with a fingerprint on a touchscreen.
- For VA research, authorization may be documented electronically so long as the process provides reasonable assurance that such consent is rendered by the proper individual and the subject dates the consent as is typical, or the software provides the current date when signed.
- The subject may fax or email a signed copy of the authorization to the research site (preferably to the interviewer and/or research personnel). Unless the IRB approves otherwise, the study team must receive a copy of the signed authorization prior to beginning research procedures.
- If the subject is physically unable to provide a signature, he/she makes a mark on the authorization and the study team must document the circumstances. If the subject is unable to make a mark, the study team must request a subject-specific waiver of HIPAA authorization.
- The authorization must be dated with the date of signature.
PHI may be used for recruitment purposes (i.e., identification and screening) without authorization from the subject or a waiver of authorization from a Privacy Board if the research personnel is a part of the workforce of the covered entity who owns the PHI. If the research personnel using PHI for recruitment purposes is not a part of the workforce of the covered entity, authorization from the subject or waiver of authorization from a Privacy Board for recruitment purposes is required.
For research subject to VA regulations, authorization from the subject or a waiver of authorization for research from the Privacy Board is required before research personnel may access, obtain, and/or utilize protected health information for recruitment activities.
When PHI will be created through self-report of detailed PHI, or interventions with potential subjects that are being conducted solely for the purposes of determining eligibility for the research, authorization from the subject or a waiver of authorization from a Privacy Board is required.
Pyschotherapy notes may only be used for research purposes, including recruitment, with authorization from the subject.
HIPAA authorization language must be revised whenever there is a change in any of the core elements of the authorization described in 2.1 above, including a change to the persons or classes of persons who will receive PHI. Revisions to HIPAA authorization language must be reviewed and approved by the IRB prior to implementation. Newly enrolled subjects must sign the most recently approved version of the HIPAA authorization language.
Subjects who participate in research have the right to access PHI (i.e., inspect and obtain a copy) about them which is stored as part of the research record. Subjects participating in treatment studies may be temporarily suspended from accessing their research records for as long as the research is in progress, provided that:
- The subject agreed to the denial of access in the HIPAA authorization
- The subject's right of access will be reinstated upon completion of the research
A research subject may revoke authorization, in writing, to a person on the research team, at any time. The revocation will be applicable to the study or studies specified by the individual.
When a subject revokes authorization, data collected on the subject to the point of the subject's revocation remains part of the study records and may not be deleted. Copies of revocations of authorizations should be maintained as part of the research record.
Individuals found to be in violation of this policy may be subject to sanctions relating to their participation in research with human subjects, up to and including permanent suspension or debarment from engaging in research with human subjects at Indiana University.Back to top
- AAHRPP Standards
- Element II.3.D
- Element II.3.E
- 45 CFR 164, especially Subpart E
- Indiana Code 16-39-1-4
- IU University Compliance: HIPAA Privacy and Security Compliance
- Health Information Privacy, especially:
- Memorandum of Understanding Between Richard L. Roudebush Veterans Affairs Medical Center and Indiana University Concerning Utilization of Indiana University's Institutional Review Boards
- VHA Directive 1200.05 - Requirements for the Protection of Human Subjects in Research, espescially section 23
authorization, confidentiality, covered entity, data use agreement, de-identified, device, HIPAA, identifier, legally authorized representative (LAR), limited data set, minimal risk, mininum necessary, privacy, privacy board, privacy rule, protected health information, psychotherapy notes, recruitment, research, research personnel, suspension, written/in writingBack to top